The application must use appropriate cryptography in order to protect stored DoD information when required by the information owner or DoD policy.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-70229	APSC-DV-002350	SV-84851r1_rule		Medium

Description
Applications handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. Selection of a cryptographic mechanism is based on the need to protect the confidentiality of organizational information. The strength of mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). Special care must be taken to cryptographically protect classified data.

Description

Applications handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. Selection of a cryptographic mechanism is based on the need to protect the confidentiality of organizational information. The strength of mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). Special care must be taken to cryptographically protect classified data.

STIG	Date
Application Security and Development Security Technical Implementation Guide	2018-12-24

Details

Check Text ( C-70705r1_chk )
Review the application documentation and interview the application administrator. Identify the data processed by the application and the accompanying data protection requirements. Determine if the application is processing publicly releasable, SBU, FOUO, or classified data. If the data is strictly publicly releasable information with no SBU, FOUO, or classified and system documentation specifies no data encryption is required for any hosted application data, this requirement is not applicable. Have the application administrator identify the encryption protections that are utilized. Validate the application is using encryption protections that are commensurate with the data being protected. If the application is processing classified data, type 1, suite B cryptography, or hardware-based encryption solutions; meeting NSA encryption requirements for classified data processing and storage is required. If the application processes classified data or if the data owner has specified encryption requirements and the application administrator is unable to demonstrate the type of encryption used or if the application processes classified and does not use type 1, suite B, or NSA-approved hardware-based encryption, this is a finding.

Check Text ( C-70705r1_chk )

Review the application documentation and interview the application administrator.

Identify the data processed by the application and the accompanying data protection requirements.

Determine if the application is processing publicly releasable, SBU, FOUO, or classified data.

If the data is strictly publicly releasable information with no SBU, FOUO, or classified and system documentation specifies no data encryption is required for any hosted application data, this requirement is not applicable.

Have the application administrator identify the encryption protections that are utilized.

Validate the application is using encryption protections that are commensurate with the data being protected.

If the application is processing classified data, type 1, suite B cryptography, or hardware-based encryption solutions; meeting NSA encryption requirements for classified data processing and storage is required.

If the application processes classified data or if the data owner has specified encryption requirements and the application administrator is unable to demonstrate the type of encryption used or if the application processes classified and does not use type 1, suite B, or NSA-approved hardware-based encryption, this is a finding.

Fix Text (F-76465r1_fix)
Identify data elements that require protection. Document the data types and specify encryption requirements. Encrypt classified data using Type 1, Suite B, or other NSA-approved encryption solutions.